Springer Nature
International Journal of Information Security
Int. J. Inf. Secur.
DOI 10.1007/s10207-017-0379-8
REGULAR CONTRIBUTION
ZombieCoin 2.0: managing next-generation botnets using Bitcoin
Syed Taha Ali1·Patrick McCorry2·Peter Hyun-Jeen Lee3·Feng Hao2
© Springer-Verlag Berlin Heidelberg 2017
Abstract Botnets are the preeminent source of online crime and arguably one of the greatest threats to the Internet infrastructure. In this paper, we present ZombieCoin, a botnet command-and-control (C&C) mechanism that leverages the Bitcoin network. ZombieCoin offers considerable advantages over existing C&C techniques, most notably the fact that Bitcoin is designed to resist the very same takedown campaigns and regulatory processes that are the most often-used methods to combat botnets today. Furthermore, we describe how the Bitcoin network enables novel C&C techniques, which dramatically expand the scope of this threat, including the possibilities of flexible rendezvous scheduling, efficient botnet partitioning, and fine-grained control over bots. We validate our claims by implementing ZombieCoin bots which we then deploy and successfully control over the Bitcoin network. Our findings lead us to believe that Bitcoin-based C&C mechanisms are a highly desirable option that botmasters will pursue in the near future. We hope our study provides a useful first step towards devising effective countermeasures for this threat.

This work is supported by the European Research Council (ERC) Starting Grant (No. 306994).

Corresponding author: Syed Taha Ali, taha.ali@seecs.edu.pk
Patrick McCorry, patrick.mccorry@ncl.ac.uk
Peter Hyun-Jeen Lee, peter.hyunjeen.lee@gmail.com
Feng Hao, feng.hao@ncl.ac.uk

1 School of Electrical Engineering and Computer Science, National University of Sciences and Technology, Islamabad, Pakistan
2 School of Computing Science, Newcastle University, Newcastle upon Tyne, UK
3 Paysafe Group, Cambridge, UK
Keywords Botnets · Bitcoin · Cryptocurrencies · C&C
1 Introduction
Botnets are networks of compromised machines, individu-
ally referred to as bots or zombies, and controlled remotely
by a malicious entity known as the botmaster. They were
originally developed as tools for vandalism and to showcase
hacking skills and have evolved into sophisticated platforms
geared towards financial gain and cyberwarfare. Almost
8 years have passed since Vint Cerf’s dire warning of a botnet
“pandemic” [1], and since then the threat has only intensified.
Large botnets today typically number millions of infected
victims, employed in a wide range of illicit activity includ-
ing spam and phishing campaigns, spying, information theft
and extortion [2]. The FBI recently estimated that 500
million computers are infected annually, incurring global
losses of approximately $110 billion [3]. Botnets have now
started conscripting mobile phones [4] and smart devices,
such as refrigerators and surveillance cameras to spam and
mine cryptocurrencies [5]. There are even national security
implications: in the Estonian cyberattacks of 2007, botnets
mounted distributed denial of service (DDoS) campaigns,
crippling Estonian ICT infrastructure and forcing govern-
ment portals, media outlets, banks, and telcos to disconnect
from the Internet [6]. These alarming developments have
prompted US lawmakers to actively pursue legislation to
combat the botnet threat [7].
The fatal weak point for botnets is the C&C infrastructure, which essentially functions as the central nervous system of the botnet. Downstream communication comprises instructions and software updates sent by the botmaster, whereas upstream communication from bots includes loot, such as financial data and login credentials. Security researchers usually reverse engineer a bot, infiltrate the C&C network, trace the botmaster and disrupt the botnet. The overwhelming majority of successful takedown operations to date have relied heavily on exploiting or subverting botnet C&C infrastructures [2].
In this paper, we argue that Bitcoin is an ideal C&C
dissemination mechanism for botnets. Bitcoin is a fully func-
tional decentralized cryptocurrency, the popularity of which
has skyrocketed in the wake of the global financial crisis. 1
bitcoin (or BTC) trades at approximately $480 and the cur-
rency has a market cap of approximately $6.17 billion [8].1
Bitcoin trades over $257 million a day, which is a greater vol-
ume of transactions than Western Union and this year some
expect it to overtake Paypal and American credit card net-
works including Discover [9]. At the heart of Bitcoin’s suc-
cess is the blockchain, a massively distributed, cryptograph-
ically verifiable database, maintained over the Bitcoin P2P
network, which tracks currency ownership in near real time.
Bitcoin offers botmasters considerable advantages over
existing C&C techniques such as IRC chatrooms, HTTP
rendezvous points, or P2P networks. First, by piggyback-
ing communications onto the Bitcoin network, the botmaster
is spared the costly and hazardous process of maintaining a
custom C&C network. Second, Bitcoin provides some degree
of anonymity which may be enhanced using conventional
mechanisms like VPNs or Tor. Third, Bitcoin has built-in
mechanisms to harmonize global state, eliminating the need
for bot-to-bot communication. Capture of one bot therefore
does not expose others, and an observer cannot enumerate
the size of the botnet.
Most importantly, C&C communications over the Bitcoin
network cannot be shut down simply by confiscating a few
servers or poisoning routing tables. The Bitcoin network is
designed to withstand these very kinds of attacks. Further-
more, disrupting C&C communication would be difficult to
do without seriously impacting legitimate Bitcoin users and
may break Bitcoin. Any form of regulation would be a fra-
grant violation of the libertarian ideology Bitcoin is built
upon [10]. It would also entail significant protocol modifica-
tion on the majority of Bitcoin clients scattered all over the
world.
We explore in detail the possibility of running a botnet
over Bitcoin. Our specific contributions are:
1. We present ZombieCoin, a mechanism enabling botmasters to communicate with bots over the Bitcoin network by embedding C&C communications in Bitcoin transactions.
2. We describe how the Bitcoin paradigm enables novel C&C possibilities including dynamic upstream channels, fine-grained control over bots, and efficient partitioning of the botnet.
3. We prototype and deploy ZombieCoin over the Bitcoin network. Experimental results indicate that bot response time is generally in the range of 5–12 s.
4. We suggest possible countermeasures against such botnets.

1 Bitcoin prices are prone to fluctuation. All figures quoted in this paper date to September, 2014.
We have also chosen to make the ZombieCoin source
code available (strictly for purposes of academic research).2
Our goal, of course, is not to empower criminal operations,
but to evaluate this threat so that preemptive solutions may
be devised. This is in the spirit of existing research efforts
exploring emergent threats (such as cryptovirology [11] and
the FORWARD initiative [12]).
The rest of this paper is organized as follows: Sect. 2
presents essential background information on botnets and
Bitcoin and motivates the rest of this paper. Section 3
describes the ZombieCoin protocol in detail and proposes
enhancements for additional functionality. Section 4 presents
our prototype implementation and experimental results. We
discuss possible countermeasures in Sect. 5, related work in
Sect. 6, and conclude in Sect. 7.
2 Background
We summarize here the evolutionary path of C&C mecha-
nisms, followed by a brief overview of Bitcoin.
2.1 Botnet C&C mechanisms
First generation botnets, such as Agobot, SDBot, and SpyBot
(observed in 2002–2003) [13], maintain C&C communi-
cations over Internet Relay Chat (IRC) networks. The
botmaster hardcodes IRC server and channel details into the
bot executable prior to deployment, and, after infection, bots
log on to the specified chatroom for instructions. This method
has numerous advantages: the IRC protocol is widely used
across the Internet, there are several public servers which bot-
nets can use, and communication is in real time. However, the
network signature of IRC traffic is easily distinguished. More
critically, this C&C architecture is centralized. Researchers
can reverse engineer bots, allowing them to eavesdrop in
C&C chatrooms, identify the bots and track the botmaster.
Researchers also regularly coordinate with law enforcement to legally take down C&C chatrooms, crippling the entire botnet in just one step. According to insider accounts, two-thirds of IRC botnets are shut down in just 24 h [14].

2 Interested parties are requested to contact the authors via email.
The next generation of botnets upgraded to HTTP-based
C&C communications. Examples include Rustock, Zeus
and Asprox (observed in 2006–2008). Bots periodically
contact a web server using HTTP messages to receive instruc-
tions and offload loot. HTTP is ubiquitous on most networks
and bot communications blend in with legitimate user traf-
fic. However, web domains can be blocked at the DNS level,
C&C web servers can be located and seized, and the botmas-
ter can be traced.
To adapt, botmasters came up with two major innova-
tions. Bots are no longer hardcoded with a web address prior
to deployment, but with a Domain Generation Algorithm
(DGA) that takes date and time as seed values to generate
custom domain names at a rapid rate. The rationale is that
it is very costly and time-consuming for law enforcement
to seize a large number of domains, whereas the botmaster
has to register only one to successfully rendezvous with his
bots in a given time window. Conficker-C generated 50,000
domain names daily, distributed over 116 Top Level Domains
(TLDs) which proved nearly impossible to block [15]. How-
ever, DGAs can be reverse-engineered. Security researchers
hijacked the Torpig botnet for a period of ten days by regis-
tering certain domains ahead of the botmasters [16].
The second innovation is Domain Flux: botmasters now
link several hundreds of destination IP addresses with a
single fully qualified domain name in a DNS record (e.g.
www.domain.com). These IP addresses are swapped at high
frequency (as often as every 3min), so that different parties
connecting to the same domain within minutes of each other
are redirected to different locations. Furthermore, destination
IP addresses often themselves point to infected hosts which
act as proxies for the botmaster. Yet another layer of confu-
sion can be added into the equation by similarly concealing
the Authoritative Name Servers for the domain within this
constantly changing fast flux cloud.
The third major development in botnet C&C infrastruc-
tures is decentralized P2P networks which have been used by
Conficker, Nugache and Storm botnets in 2006–2007. Bots
maintain individual routing tables, and every bot actively
participates in routing data in the network, making it diffi-
cult to identify C&C servers. However, P2P-based bots also
have weak points: for instance, to bootstrap entry into the
P2P network, Phatbot uses Gnutella cache servers on the
Internet and Nugache bots are hardcoded with a seed list of
IP addresses, both of which are centralized points of failure
[17]. Security researchers have been able to detect P2P traf-
fic signatures, successfully crawl P2P networks to enumerate
the botnet, and poison bot routing tables to disrupt the botnet.
In a concerted takedown effort, Symantec researchers took
down the ZeroAccess botnet by flooding routing advertise-
ments that overwhelmed bot routing tables with invalid or
sinkhole entries, isolating bots from each other and crippling
the botnet [18].
Some botnets employ multiple solutions for robustness,
for example, Conficker uses HTTP-based C&C in addition
to its P2P protocol [15]. More recently botnets have begun
experimenting with esoteric C&C mechanisms, including
darknets, social media and cloud services. The Flashback
Trojan retrieved instructions from a Twitter account [19].
Whitewell Trojan used Facebook as a rendezvous point to
redirect bots to the C&C server [20]. Trojan.IcoScript used
webmail services like Yahoo Mail for C&C communications
[21]. Makadocs Trojan [22] and Vernot [23] used Google
Docs and Evernote, respectively, as proxies to the botmaster.
The results have been mixed. Network administrators rarely
block these services because they are ubiquitously used, and
C&C traffic is therefore hard to distinguish. On the other
hand, C&C channels are again centralized and companies
like Twitter and Google are quick to crack down on them.
2.2 Bitcoin
Bitcoin may be visualized as a distributed database which
tracks the ownership of virtual currency units (bitcoins). Bit-
coins are not linked to users or accounts but to addresses. A
Bitcoin address is simply a transformation on a public key,
whereas the private key is used to spend the bitcoins associ-
ated with that address. A transaction is a statement containing
an input address, an output address, and the quantity to be
transferred, digitally signed using the private key associated
with the input. More complex transactions may include mul-
tiple inputs and outputs. All inputs and outputs are created
using scripts that define the conditions to claim the bitcoins.
Transactions are circulated over the Bitcoin network, a
decentralized global P2P network. Users known as min-
ers collect transactions and craft them into blocks, which
are chained into a blockchain to maintain a cryptographi-
cally verifiable ordering of transactions. Miners compete to
solve a proof-of-work puzzle to insert their block into the
blockchain. New blocks are generated at the rate of approxi-
mately once every 10min. The double-spending problem of
digital currencies is overcome by replicating the blockchain
at the network nodes and using a consensus protocol to ensure
global consistency of state.
Bitcoin was deliberately designed to resist the kind of
centralization, monetary control, and oversight which restrict
fiat currencies [10]. Users have some degree of anonymity (see footnote 3) which may be enhanced using Tor and mixing services. The decentralized nature of the network and the proof-of-work puzzle ensures that transactions in the network cannot be easily regulated. Bitcoin can only be subverted if a malicious party in the network musters more computing power than the rest of the network combined.

3 Bitcoin technically provides pseudonymity, a weaker form of anonymity, in that Bitcoin addresses are not tied to identity and it is trivial to generate new addresses.
Entrepreneurs and researchers have been quick to rec-
ognize Bitcoin as a new paradigm with wide application.
Projects like Mastercoin [24], Colored Coins [25] and Coun-
terparty [26] use the Bitcoin network as an underlying
primitive to track ‘virtual tokens’ which denote financial
instruments such as bonds and stocks, corporate currencies
such as coupons and tickets, and even digital properties like
subscription services or software licenses.
Namecoin [27], the first official fork of Bitcoin, enables
users to register domains in the Namecoin blockchain as an
alternative DNS outside of ICANN jurisdiction. Applications
towards timestamping have also evolved: Commitcoin [28]
is a research effort that embeds ‘commitments’ to data in
the blockchain, effectively timestamping it. Similarly, Mon-
egraph provides a proof-of-ownership service for digital
artworks [29]. The OneName service [30] allows users to
publicly link their names and Bitcoin addresses by inserting
the corresponding details in the Namecoin blockchain.
3 ZombieCoin
Our work is the first to leverage the Bitcoin network to enable
C&C communications for botnets. As we will demonstrate
in the course of this paper, this new facility offers botmasters
significant advantages over traditional C&C channels. Here
we briefly outline the operation of ZombieCoin:
(1) The botmaster generates a set of Bitcoin credentials, i.e.
a key pair (sk,pk). The public key, pk, is hardcoded
into the bot binary file prior to deployment, so that bots
can authenticate communication from the botmaster.
Bots are also equipped with an instruction set to decode
commands sent by the botmaster. Our implementation,
described in Sect. 4, consists of simple instructions such
as REGISTER, PING and UPDATE, with associated param-
eters.
(2) The botnet is then released into the wild. We assume
there is an infection mechanism to propagate the bot-
net. One common example nowadays is for botmasters
to embed advertisements on web pages frequented by
intended victims. When a viewer clicks on the link, he
is redirected to a website hosting malicious code which
executes in the background and infects his machine with-
out his knowledge.
Upon infection, each bot generates a unique bot iden-
tifier. This may be done in various ways. For instance,
Torpig bots derive an 8 byte identifier (nid) by hashing
the victim’s hard disk volume and serial number infor-
mation [16]. Unique identifiers enable the botmaster to
enumerate the botnet, and, as we will demonstrate later,
exercise dynamic fine-grained control over the bots.
(3) Bots then individually connect to the Bitcoin network
and receive and propagate incoming Bitcoin transac-
tions. All network communication for the botnet then
proceeds as per the standard Bitcoin protocol specifi-
cation described in [31]. By adhering to the standard
protocol, the network behaviour of the bots to an out-
side observer is indistinguishable from the traffic of a
genuine Bitcoin user.
(4) The botmaster periodically issues C&C instructions by
obfuscating and embedding them into transactions. Bots
identify these transactions by scanning the ScriptSig
field in the transaction input which contains the botmas-
ter’s public key, pk, and the digital signature (computed
over the transaction) using private key sk. Bots verify
the signature, decode the instructions and execute them
accordingly. These instructions may include commands
to not only spy on the victim and steal his personal infor-
mation, but also to undertake external attacks, such as
send spam emails and launch DoS attacks on specified
targets.
Next we detail various strategies to embed C&C com-
mands in transactions.
3.1 Inserting C&C instructions in transactions
The most straightforward method is to insert C&C data in the
OP_RETURN output script function. The OP_RETURN
function is a recent feature included in the 0.11.0 release of
the Bitcoin Core client and allows users to insert up to 80
bytes of data in transactions. However, a transaction may
only have one OP_RETURN script.
This inclusion is due to immense lobbying by the Bitcoin
community [32]. Developers anticipate the usage of this func-
tion to be along the lines of meaningful transaction identifiers
(similar to text fields in online banking transactions), hash
digests of some data such as contracts [33], cryptotokens,
or even index values to link to other data stores. Analysis
of a recent 80-block portion of the blockchain reveals that
the OP_RETURN field was used in about a quarter of trans-
actions in that portion, indicating that this feature is proving
popular [34]. One company has already launched timestamp-
ing services which rely on embedding hash data in this field
[34].
This bandwidth is more than sufficient to embed most botnet commands, which are typically instruction sets in the format <command> <parameter> ... <parameter>. For instance, the DDoS attack library for Agobot [13] contains commands ddos.synflood <host> <time> <delay> <port> and ddos.httpflood <url> <number> <referrer> <delay> <recursive>, etc.
Agobot has over ninety such commands, and they can be encoded numerically using efficient schemes like Huffman coding to fit within the 80 byte limit.

Fig. 1 Decoding a Mastercoin transaction [36]

Bitcoin transaction:
{ inputs: [ { address: '1LQBddrjjUaMLHcd4cG9XnN4cCZbHfREJF', value: 1445759 } ],
  outputs: [ { address: '1EXoDusjGwvnjZUyKkxZ4UHEf77z6A5S4P', value: 6000 },
             { address: '12ARS3euPbdQ9S68xXhmq4ySzSADfMaR1a', value: 6000 },
             { address: '1D3tBJ6b3htSaMhEV3EtTAPLvTHwLBrQPH', value: 1417759 },
             { address: ' ', value: 6000 } ] }

Mastercoin transaction (decoded from the last output):
0b 00000000 00000001 000000004042cd1d 000000
0b – transaction sequence number
00000000 – transaction type (regular send)
00000001 – currency ID (Mastercoin)
000000004042cd1d – value – converting hex to decimal (1078119709)
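The OP_RETURN channel described above is the easiest of the four to monitor, because the data sits in plain view in an output script. The following is an added example for this page (not ZombieCoin's code, and not from the Bitcoin Core project): a parser for the "OP_RETURN <single push>" script layout, with the 80-byte relay limit the text cites, plus a small triage routine that summarises each data-carrying output so an analyst can separate the benign uses the authors list (hash digests, identifiers) from arbitrary payloads. The sample outputs, the `DIGEST_SIZES` heuristic and the function names are constructed for the example.

```python
import string

# Script opcodes from the Bitcoin Script specification
OP_RETURN = 0x6a
OP_PUSHDATA1 = 0x4c
OP_PUSHDATA2 = 0x4d
MAX_STANDARD_PAYLOAD = 80   # relay limit the text cites for Bitcoin Core 0.11.0
DIGEST_SIZES = {20, 32}     # RIPEMD-160 / SHA-256 digests: the benign uses the text lists (heuristic)


def build_op_return_script(data: bytes) -> bytes:
    """Encode `data` as an OP_RETURN output script (used here to construct samples)."""
    if len(data) <= 75:
        push = bytes([len(data)])                 # direct push: opcode == length
    elif len(data) <= 0xFF:
        push = bytes([OP_PUSHDATA1, len(data)])
    else:
        push = bytes([OP_PUSHDATA2]) + len(data).to_bytes(2, "little")
    return bytes([OP_RETURN]) + push + data


def parse_op_return(script: bytes):
    """Return the embedded bytes if `script` is 'OP_RETURN <single push>', else None."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    opcode = script[1]
    if 1 <= opcode <= 75:
        length, start = opcode, 2
    elif opcode == OP_PUSHDATA1 and len(script) >= 3:
        length, start = script[2], 3
    elif opcode == OP_PUSHDATA2 and len(script) >= 4:
        length, start = int.from_bytes(script[2:4], "little"), 4
    else:
        return None
    data = script[start:start + length]
    # Reject truncated pushes and trailing bytes after the push
    if len(data) != length or start + length != len(script):
        return None
    return data


def scan_outputs(output_scripts):
    """Summarise every OP_RETURN output of a transaction for analyst review."""
    findings = []
    for index, script in enumerate(output_scripts):
        data = parse_op_return(script)
        if data is None:
            continue
        printable = all(chr(b) in string.printable for b in data)
        findings.append({
            "index": index,
            "size": len(data),
            "standard": len(data) <= MAX_STANDARD_PAYLOAD,
            "looks_like_digest": len(data) in DIGEST_SIZES and not printable,
            "printable_text": printable,
            "hex": data.hex(),
        })
    return findings


# Constructed sample transaction outputs (not real blockchain data):
# 0: ordinary pay-to-pubkey-hash output, 1: 32-byte digest, 2: readable text,
# 3: payload over the 80-byte standardness limit.
SAMPLE_OUTPUTS = [
    bytes.fromhex("76a914" + "00" * 20 + "88ac"),
    build_op_return_script(bytes(range(32))),
    build_op_return_script(b"status:update 42"),
    build_op_return_script(bytes(100)),
]

if __name__ == "__main__":
    for finding in scan_outputs(SAMPLE_OUTPUTS):
        print(finding)
```

Run against the constructed outputs, the scan skips the pay-to-pubkey-hash script, marks output 1 as digest-like, output 2 as printable text, and output 3 as exceeding the standard limit; a node enforcing the relay policy would not have propagated the last one in the first place, which is itself a useful data point when reviewing a suspicious transaction.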
A second approach offering greater bandwidth possibili-
ties is to embed C&C instructions as unspendable outputs.
Prior to release of the OP_RETURN function, this was the
common method by which users inserted custom data into
transactions, and is used by Counterparty [26] and Master-
coin [24]. We dissect a typical Mastercoin transaction in
Fig. 1. The first output address, 1EXoDusjG..., referred to as
the Mastercoin Exodus Address, identifies this as a Master-
coin transaction. The last output address is an unspendable
output, which decodes into a Mastercoin transaction. Very
small bitcoin values are generally associated with such out-
puts because they cannot be redeemed. Up to 20 bytes of
data may be inserted into an unspendable output, and a single
transaction may have multiple such outputs. Proof of Exis-
tence [35], a Bitcoin-based notary public service, timestamps
data by inserting hash digests as multiple unspendable out-
puts in transactions.
Incidentally, however, Mastercoin, Counterparty, and
Proof of Existence have expressed intent to switch to the
OP_RETURN function [32]. As we noted, unspendable out-
puts are inherently wasteful. This method is also clumsy:
Bitcoin clients maintain a live inventory of unspent trans-
action outputs (UTXO) to efficiently verify validity of new
transactions. Clients cannot identify malformed outputs, with
the result that these addresses populate the UTXO data set
indefinitely (since they are never spent), affecting the effi-
ciency of the network as a whole.
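To make the Fig. 1 dissection concrete, here is an added example (not the paper's code, and not Mastercoin's reference implementation) that recovers the 20-byte field from an unspendable "address" with a standard Base58Check decode and then applies the byte layout shown in the figure: sequence (1 byte), transaction type (4), currency ID (4), value (8), padding (3). The payload bytes are taken from Fig. 1; the surrounding transaction, the `DUST_LIMIT` threshold and the padding-based plausibility check are constructed for the example. Note that the real Mastercoin encoding has further rules (sequence numbering across outputs, obfuscation in later transaction classes) that this simplified decoder does not model.

```python
import hashlib
import struct

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
EXODUS_ADDRESS = "1EXoDusjGwvnjZUyKkxZ4UHEf77z6A5S4P"   # Mastercoin marker from Fig. 1
DUST_LIMIT = 10_000   # constructed threshold for "very small" output values (satoshis)


def _checksum(body: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    """Standard Base58Check: version || payload || 4-byte double-SHA256 checksum."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def b58check_decode(address: str) -> bytes:
    """Return the 20-byte hash field of a P2PKH-style address, verifying the checksum."""
    n = 0
    for ch in address:
        n = n * 58 + ALPHABET.index(ch)
    raw = n.to_bytes(25, "big")          # version(1) + hash(20) + checksum(4)
    body, chk = raw[:-4], raw[-4:]
    if _checksum(body) != chk:
        raise ValueError("bad Base58Check checksum")
    return body[1:]


def decode_mastercoin_payload(data: bytes) -> dict:
    """Decode the 20-byte layout of Fig. 1: seq(1) type(4) currency(4) value(8) pad(3)."""
    if len(data) != 20:
        raise ValueError("expected 20 bytes of payload")
    tx_type, currency_id, value = struct.unpack(">IIQ", data[1:17])
    return {"sequence": data[0], "tx_type": tx_type, "currency_id": currency_id,
            "value": value, "padding_ok": data[17:] == b"\x00" * 3}


def encode_payload_address(payload: bytes) -> str:
    """Wrap 20 payload bytes in a version-0 address (used to construct the sample)."""
    return b58check_encode(0x00, payload)


def decode_transaction(tx: dict):
    """If `tx` starts with the Exodus marker, return the dust output that decodes cleanly."""
    outputs = tx["outputs"]
    if not outputs or outputs[0]["address"] != EXODUS_ADDRESS:
        return None
    for out in outputs[1:]:
        if out["value"] > DUST_LIMIT:
            continue                      # payments and change are larger than dust
        decoded = decode_mastercoin_payload(b58check_decode(out["address"]))
        if decoded["padding_ok"]:         # a genuine pubkey hash almost never ends in 000000
            return decoded
    return None


# Payload bytes from Fig. 1; recipient and change addresses are constructed, not real.
FIG1_PAYLOAD = bytes.fromhex("0b0000000000000001000000004042cd1d000000")
SAMPLE_TX = {
    "outputs": [
        {"address": EXODUS_ADDRESS, "value": 6000},
        {"address": b58check_encode(0x00, bytes(range(1, 21))), "value": 6000},
        {"address": b58check_encode(0x00, bytes(20)), "value": 1417759},
        {"address": encode_payload_address(FIG1_PAYLOAD), "value": 6000},
    ]
}

if __name__ == "__main__":
    print(decode_transaction(SAMPLE_TX))
```

The decoded value 1078119709 matches the figure. The same Base58Check step is what lets a node (or a UTXO-set auditor) recognise these outputs for what they are: the hash field is valid-looking, so the output is accepted and never spent, which is exactly the UTXO bloat the paragraph above describes.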
A more elegant technique is to communicate C&C mes-
sages by key leakage. Signing two different messages using
the same random factor in the ECDSA signature algorithm
allows an observer to derive the signer’s private key d. Such
instances have already been observed in the blockchain,
resulting in coin theft [37]. In this case, the botmaster frames
the C&C instruction within a 32 byte ECDSA private key
(including padding with random data so that identical com-
mands do not always yield the same private key). This is
followed by an obfuscation technique to give the data enough
randomness to function as a private key. The public key is
then derived.
The botmaster then signs two transactions using the same random factor k, which will derive two signatures (r, s1) and (r, s2). Clearly any observer (including our bots) can detect this C&C message as r appears twice, which also allows them to derive the random factor's private key, k (as outlined in [38]). Once k is known, it is then a trivial operation to derive the private signing key d and allow the bot to read
the command. Notably this approach has also been used by
Commitcoin [28] to insert hash digests in transactions. Bit-
coins need not be wasted using this method (if the botmaster
fully spends the bitcoins linked to the private key), and band-
width is up to 32 bytes per input. However, two transactions
are needed to transmit the C&C instructions.
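The observable property of the key-leakage channel is the one the text names: the same r value appearing in two signatures with different s. That is also what a monitoring party looks for, since nonce reuse is a well-known cause of coin theft regardless of whether a botnet is involved. The following is an added example (not the paper's code) that parses the DER-encoded signature carried in a scriptSig (a SEQUENCE of two INTEGERs followed by the sighash byte) and groups signed inputs by r, alerting on any r shared across distinct inputs with differing s. It stops at detection and does not perform the key recovery of [38]. The sample signatures are constructed with arbitrary small r and s values; the function names are the example's own.

```python
from collections import defaultdict

# Order of the secp256k1 group: valid r and s lie strictly between 0 and N
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b        # keep the INTEGER positive
    return b"\x02" + bytes([len(b)]) + b


def der_encode_signature(r: int, s: int, sighash: int = 0x01) -> bytes:
    """Encode (r, s) as the DER SEQUENCE found in a scriptSig, plus the sighash byte."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body + bytes([sighash])


def der_decode_signature(sig: bytes):
    """Parse a scriptSig signature: DER SEQUENCE of two INTEGERs, then one sighash byte."""
    der = sig[:-1]
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed DER signature")
    pos, values = 2, []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length = der[pos + 1]
        values.append(int.from_bytes(der[pos + 2:pos + 2 + length], "big"))
        pos += 2 + length
    if pos != len(der):
        raise ValueError("trailing bytes in signature")
    r, s = values
    if not (0 < r < SECP256K1_N and 0 < s < SECP256K1_N):
        raise ValueError("r or s out of range")
    return r, s


def find_reused_r(inputs):
    """Group signed inputs by r; report any r seen on two distinct inputs with differing s.

    `inputs` is an iterable of (txid, vin, scriptsig_signature_bytes).
    Identical (r, s) pairs are the same signature relayed twice, not nonce reuse, so
    the differing-s condition filters those out.
    """
    by_r = defaultdict(list)
    for txid, vin, sig in inputs:
        r, s = der_decode_signature(sig)
        by_r[r].append((txid, vin, s))
    alerts = {}
    for r, uses in by_r.items():
        distinct_inputs = {(t, v) for t, v, _ in uses}
        distinct_s = {s for _, _, s in uses}
        if len(distinct_inputs) >= 2 and len(distinct_s) >= 2:
            alerts[r] = sorted(distinct_inputs)
    return alerts


# Constructed sample: three spends, two of which share an r value (arbitrary test numbers)
R_SHARED, R_OTHER = 0x5A5A5A5B, 0x1234ABCD
SAMPLE_INPUTS = [
    ("tx_a", 0, der_encode_signature(R_SHARED, 0x11111111)),
    ("tx_b", 0, der_encode_signature(R_SHARED, 0x22222222)),   # same r, different s
    ("tx_c", 0, der_encode_signature(R_OTHER, 0x33333333)),
]

if __name__ == "__main__":
    for r, where in find_reused_r(SAMPLE_INPUTS).items():
        print(f"r={r:#x} reused at {where}")
```

In practice the index is keyed on r across the whole chain (or a sliding window of recent blocks), so the first signature is stored and the alert fires when the second arrives, which is also the moment the leaked key becomes recoverable by anyone watching.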
A more covert solution is to use subliminal channels.
Simmons [39,40] notably demonstrated that two parties can
set up a secret communications channel in digital signature
schemes. This is again done by exploiting the random factor
used by the signing algorithm. The botmaster creates a C&C instruction bitstring of length x bits. He then repeatedly generates signatures on the transaction using different random factors, until he gets a match, i.e. a signature, the first x bits of which match the target bitstring. He attaches this signature to the transaction and publishes it. Nodes receive the transaction, verify that the signature is valid, and propagate it. Bots, on the other hand, extract the instructions from the first x bits and execute them.
Bandwidth is very restricted using this technique due to the one-way nature of the signing function. Generating x bits of an ECDSA signature to match a bitstring takes on average 2^x iterations. For larger instructions, the botmaster may choose
to split the instruction into smaller target bitstrings inserted
in multiple signatures. We briefly investigate here the practi-
cality of this approach. We use an Intel i7 machine operating
at 2.8 GHz with 8GB RAM, running 64-bit Windows 7, and
we use the OpenSSL toolkit to construct ECDSA signatures
with subliminal channels of incrementing size. In each run,
we construct eight signatures matching a target string and
record the time taken. Results are plotted in Fig. 2.
As demonstrated, it takes under 10 min (600 s) to sequen-
tially generate eight signatures with subliminal channels of
size 14 bits each. Total bandwidth in this case is 8 ·14 bits (14
bytes). We consider here a couple of optimizations: first, we
use multithreading to parallelize operations across the mul-
tiple processors of the machine. It now takes about 3min to
generate eight signatures with 14-bit channels, a reduction
of nearly 65%.
Fig. 2 Bandwidth versus signature generation time for subliminal channels (plot: x-axis "Bandwidth of Individual Subliminal Channel (bits)", 0–14; y-axis "Signature Generation Time (s)", 0–600; series: Sequential, Multithreading, Shared-search Multithreading)

Second, instead of passing each thread a single target bitstring, we let each thread search across the whole range of the target bitstrings. The process stops as soon as each individual thread has located at least one distinct target. This
shared-search step exploits the randomness of the signature
generation process, increasing the odds of a successful match.
We note an approximate 20% improvement over the basic
multithreading scenario. It now takes approximately only
2 min to generate eight 14-bit subliminal channels, which is
very practical. The botmaster can order the resulting signa-
tures accordingly in the transaction to construct the complete
subliminal channel.
We have considered here four methods to insert C&C
instructions into the blockchain, i.e. in the OP_RETURN
function, as unspendable outputs, via key leakage, and by
creating subliminal channels. The botmaster can pick the
technique of his choice or even combine different methods as
per his requirements. While these channels are sufficient for
typical botnet communications, they are, however, restricted
in that they provide low bandwidth of only a few tens of bytes
per transaction in the downstream direction (i.e. from bot-
master to bots) only. However, occasionally the botmaster’s
communication requirements may exceed these limitations.
We discuss next some novel proposals to expand the C&C
communication channel.
3.2 Extending ZombieCoin
In this section, we describe enhancements to ZombieCoin
to enable upstream C&C communication, delivery of larger
payloads, and efficient fine-grained botnet partitioning.
Upstream communication Botnets require an upstream
channel to send status updates and loot back to the botmaster.
On successful infection, the bot usually sends a registra-
tion message (including bot identifier, machine specifications
and geolocation data) and periodic heartbeat messages. Loot
consists of victim’s login credentials, financial data or pro-
prietary information. It would be prohibitively expensive and
impractical for bots to communicate upstream by embedding
information in Bitcoin transactions. However, the botmaster
may use the downstream channel to periodically announce
rendezvous points where bots can direct upstream commu-
nications. For instance, this could be the web address of a
domain owned by the botmaster.
Similar approaches have been observed in the wild. For
instance, botmasters used a Facebook Wall feed to redirect
Whitewell Trojan bots to C&C servers [20]. This is similar
to using a domain generation algorithm but with one key dif-
ference: DGAs have been reverse-engineered by researchers
to lockdown rendezvous points ahead of time. Some botnets
adapted by seeding DGAs with unpredictable input (such as
current Twitter search trends [16]), which improves the sit-
uation a bit, but the botmaster still has to act within a very
narrow time window to register domains.
In our scenario though, since the Bitcoin network acts as
a near real-time broadcast channel to the bots, the botmaster
can announce rendezvous points as often as he wants, and
bots can start sending upstream messages right away. Typi-
cally the botmaster has a load-balancing solution deployed on
servers at his end to cope with the large amount of incoming
bot traffic (or it would amount to a virtual self-DDoS). To bet-
ter cope, he could provide bots with multiple web addresses.
Bots could even be programmed to fire a randomized timer
before initiating communication.
The botmaster has considerable flexibility in this scenario.
It will take time for law enforcement to neutralize his servers
(depending on geographical location, ISP regulatory pro-
cesses, etc.). This critical window, even if it is a few tens
of minutes, may be sufficient. And if his server is shut down,
the C&C channel over the Bitcoin network is still active,
and the botmaster is free to try again by announcing new
rendezvous points.
There is a further advantage: if bots encrypt the payload
with the botmaster’s public key, they could upload the data to
public locations where the botmaster could easily retrieve it.
This may include services that host user-generated content
such as blogging platforms like Tumblr or WordPress and
cloud storage such as Dropbox, OneDrive and text-sharing
services like Pastebin. These options offer less risk for the
botmaster; he does not have to maintain his own servers or
deploy load-balancing and location-masking services. Bot
payload data are encrypted in case law enforcement confis-
cates it (however, the data may leak secondary information
which may aid in enumerating the size of the botnet or the
location of the bots). There is already a rich literature on
building censorship-resistant communication channels on the
Internet using social networks and public sites in a way that
takedown is very hard [41–43].
Larger payloads As we noted earlier, the botmaster may
insert multiple inputs and outputs in a transaction for greater
bandwidth. An alternative for larger messages is transaction
chaining. The botmaster splits the C&C instruction over several
transactions where the output of one is the input of the
next and so on. Bots receive the transactions, order them
by examining the input and output fields to reconstruct the
payload. We employ this technique in our proof of concept
implementation, described in Sect. 4, to transmit 256-byte
RSA public keys to the bots. For large payloads (on the order
of tens of kilobytes or more) such as software updates, the
botmaster can announce rendezvous points where bots may
download the data.
Partitioning botnets Botmasters commonly monetize
their activities by partitioning botnets and leasing them as
“botnets for hire” (a typical advertisement in underground
markets cites a price of US $2000 for 2000 bots “consistently
online for 40% of the time” [44]). Partitioning botnets also
enables multitasking and is a good damage control strategy
in case part of the network is compromised. The P2P Zeus
botnet had over 200,000 bots, distributed into sub-botnets, by
hardcoding bots with sub-botnet identifiers prior to deploy-
ment [45]. The Storm botnet assigned unique encryption keys
to bots to distribute them into sub-botnets [46].
This simple approach to partitioning the network does not
permit much flexibility. Ideally the botmaster should be able
to partition botnets dynamically using parameters such as
size, geographical location, machine specification. In such a
scenario, more powerful machines may be assigned to mining
cryptocurrencies, whereas machines with large disk space
could be used to store loot. Machines in the same time zone
could be used to coordinate DDoS attacks. Bots in countries
with lax law enforcement may be used for spam. We present
here an intuitive and elegant solution allowing fine-grained
control over the botnet.
Upon successful infection, bots send a registration mes-
sage to the botmaster, communicating their unique bot identi-
fier and important information about the victim machine such
as machine specification, operating system, and organization.
The botmaster maintains a database of this information and
can periodically direct queries at it.⁴ Sample queries may be
as follows: “What are the identifiers of all bots in the UK?”
or “What are the identifiers of 1000 bots running Mac OS
X?” To direct an instruction to these particular bots, the botmaster
inserts the returned identifiers into a Bloom filter and
transmits the result along with the instruction by embedding
the data in a Bitcoin transaction. ZombieCoin bots receive
the filter result and use their identifiers to check if they are
included in the set. If so, they execute the instructions. This
step essentially converts the broadcast communication mode
of the Bitcoin network to a multicast/anycast mode.
⁴ C&C servers belonging to the Zeus botnet were discovered to maintain a similar MySQL database with a web-based administrative GUI for botmasters [47].
[Fig. 3: plot of false positive rate (y-axis, 0 to 0.1) against number of bits per member (x-axis, 2 to 20)]
Fig. 3 False positive rate versus number of bits per member in the Bloom filter
A Bloom filter is a space-efficient randomized data struc-
ture used to test for set membership [48]. The probability for
a bot identifier that is not in the original set to result in a pos-
itive match is referred to as the Bloom filter’s false positive
rate and is calculated as:
$$P_f = \left(1 - \left(1 - \frac{1}{m}\right)^{kn}\right)^k \approx \left(1 - e^{-kn/m}\right)^k \qquad (1)$$
where $m$ is the size of the Bloom filter in bits, $n$ is the number
of members in the set, and $k$ is the number of hash functions
used. Minimizing $P_f$ w.r.t. $k$ indicates that $P_f$ is minimum
when $k = (\ln 2) \cdot m/n$. We plot in Fig. 3 the false positive
rate for the ratio $m/n$, i.e. the number of bits per member.
The botmaster can now compute optimal filter parameters:
to create a partition of 1000 bots with a false positive rate
of less than 1% (10 bots), he will need a Bloom filter of
size 10 · 1000 bits, i.e. approximately 1.2 kB. For 0.5% (5
bots), this would amount to 1.5 kB. The result could easily
be transmitted by transaction chaining or uploading the data
to a rendezvous point.
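The sizing calculation above, worked through as an added example (this is not the paper's code, nor part of the ZombieCoin implementation): it evaluates Eq. (1), picks k = (ln 2)·m/n, reproduces the 10 and 12 bits-per-member figures for a 1000-bot partition, and, from the defender's side, shows how the set-bit count of a filter observed in a transaction estimates the partition size, the kind of secondary information leak noted earlier. The SHA-256-based index functions and the bot identifiers are assumptions of this example.

```python
import hashlib
import math


def false_positive_rate(m, n, k):
    """Eq. (1) in its closed form: P_f ~ (1 - e^{-kn/m})^k."""
    return (1.0 - math.exp(-k * n / m)) ** k


def optimal_hash_count(m, n):
    """k = (ln 2) * m / n, rounded to the nearest integer (at least 1)."""
    return max(1, round(math.log(2) * m / n))


def bits_per_member_for(target_fp, n):
    """Smallest integer bits-per-member ratio whose optimal-k filter stays
    below target_fp. Returns (bits_per_member, k, m)."""
    ratio = 1
    while True:
        m = ratio * n
        k = optimal_hash_count(m, n)
        if false_positive_rate(m, n, k) < target_fp:
            return ratio, k, m
        ratio += 1


class BloomFilter:
    """Minimal Bloom filter over opaque string identifiers. The k index
    functions are SHA-256 of a salt prefix plus the identifier, reduced mod m
    (an assumption of this example; the paper does not fix the hash)."""

    def __init__(self, m, k):
        self.m, self.k = m, k
        self.bits = bytearray(m)  # one byte per bit, for clarity not size

    def _indexes(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for idx in self._indexes(item):
            self.bits[idx] = 1

    def __contains__(self, item):
        return all(self.bits[idx] for idx in self._indexes(item))

    def set_bit_count(self):
        return sum(self.bits)


def estimate_members(filt):
    """Defender-side estimate of how many identifiers were inserted, from the
    count X of set bits (standard estimator): n ~ -(m/k) ln(1 - X/m).
    Anyone who sees the filter, which travels in the clear inside the
    transaction, can compute this without knowing any identifier."""
    x = filt.set_bit_count()
    if x >= filt.m:
        return float("inf")
    return -(filt.m / filt.k) * math.log(1.0 - x / filt.m)


def demo():
    """Reproduce the paper's sizing for a 1000-bot partition and measure the
    size leak. Bot identifiers and probes are constructed for this example."""
    n = 1000
    ratio, k, m = bits_per_member_for(0.01, n)  # paper: 10 bits per member
    members = [f"bot-{i:05d}" for i in range(n)]
    filt = BloomFilter(m, k)
    for ident in members:
        filt.add(ident)
    # Measured false positive rate over constructed non-member identifiers.
    probes = [f"other-{i:05d}" for i in range(10_000)]
    measured_fp = sum(p in filt for p in probes) / len(probes)
    return {
        "bits_per_member": ratio,
        "k": k,
        "filter_bytes": m // 8,  # 1250 bytes, the paper's "approx. 1.2 kB"
        "predicted_fp": false_positive_rate(m, n, k),
        "measured_fp": measured_fp,
        "all_members_match": all(ident in filt for ident in members),
        "estimated_members": estimate_members(filt),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```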
4 Proof of concept
To validate ZombieCoin, we build a 14-node botnet and evaluate
its performance over the Bitcoin network. We use the
BitcoinJ library [49], which is an open source Java implementation
of the Bitcoin protocol. We chose the Simplified
Payment Verification (SPV) mode [50], which has a considerably
lower memory and traffic footprint, ideally suited for
botnets. As opposed to Core nodes, SPV nodes do not replicate
the entire blockchain but only a subset of block headers
and filter incoming traffic to transactions of interest. Our bot
application is 7 MB in size and the locally stored blockchain
content is maintained at 626 kB. Furthermore, at the network
level, the bot’s traffic is indistinguishable from that of any
other legitimate Bitcoin SPV client.
Fig. 4 Sequence of commands in the experiment (From / Command / To):
1. Botmaster → Botnet. PING: <1> <website> <number of pings>. Botmaster instructs bots to ping a website a certain number of times.
2. Botmaster → Botnet. REGISTER: <2> <webserver address>. Botmaster instructs bots to send registration messages to a webserver.
3. Botmaster → Botnet. RENT: <3> <block height> <Tenant Bitcoin address>. Botmaster rents botnet to a Tenant.
4. Tenant → Botnet. DOWNLOAD: <4> <number of transactions>. Tenant instructs bots to download data from specified number of transactions.
5. Tenant → Botnet. SCREENSHOT: <5> <webserver address> <number of screenshots> <delay>. Tenant instructs bots to capture screenshots and upload them to a webserver.
To simulate a distributed presence, we installed our bots
in multiple locations in the USA, Europe, Brazil, and East
Asia using Microsoft’s Azure cloud platform [51], and ran
two bots locally in our Computing Science Department. The
bots individually connect to the Bitcoin network, download
peer lists, and scan for transactions issued by the botmaster (us).
Our experiment loops approximately once per hour
through an automated cycle of rudimentary instructions in
the sequence depicted in Fig. 4. We embed C&C instructions
in the OP_RETURN field and in (3-bit) subliminal channels
in the outputs. Bots are hardcoded with a public key, enabling
them to identify our transactions. Bots receive transactions,
verify, decode, and execute them.
We simulate botnet leasing in Step 3 in Fig. 4. Botmaster
and tenant sign and publish a multi-input transaction contain-
ing the RENT command. Bots verify the input signatures,
record the tenant’s public key, and accept C&C instructions
issued by the tenant for the duration of the lease period. The
RENT transaction is a bona fide contract between botmaster
and tenant and includes the lease payment in bitcoins from
the tenant to botmaster.
When the tenant assumes control, he may send bots new
encryption credentials or software modules. We simulate this
with the DOWNLOAD command which uses transaction
chaining to send bots a 256-byte RSA public key, split over 7
back-to-back transactions. When bots receive the SCREEN-
SHOT command, they capture a snapshot of the victim’s
desktop, encrypt it using the tenant’s RSA public key and
send it to the web address specified.
We collect over 2300 responses from our bots over a 24 h
period.⁵ We are interested in the C&C channel latency and
in the time it takes for bots to respond to an instruction. We
define a bot’s response time as the time period from when the
botmaster issues an instruction to when it is successfully received
by the bot over the Bitcoin network. To synchronize readings
over multiple time zones, we configure bots to set their clocks
using a common timeserver.
⁵ The C&C transactions pertaining to our experiment can be identified in the blockchain by transaction input 1LujiuygToEddPEmRGMQUGXbsMGmup1Wrs. The initial ‘ping’ command is recorded in Block 319998 (transaction ID: b26b3ea0d8065d3288a5142580a5f0e372445d27bb51b45a491d2e5f20238c5e). The final ‘screenshot’ command occurs in Block 320153 (transaction ID: 326e06b6c187c5d97ad783fc4d7bd67cf9c80894cd9837d5e83b04ce0f0f4068). Commands can be decoded by setting the offset for each ASCII character to 125.
[Fig. 5: plot of the probability that bot response time < t (y-axis, 0 to 1) against bot response time t in seconds (x-axis, 0 to 100)]
Fig. 5 Cumulative probability distribution of bot response time
All bots successfully received the botmaster’s instructions.
Figure 5 plots the cumulative probability distribution
of the bot response time. Due to the connectivity of the Bitcoin
P2P network, about 50% of the time, the bots responded
within 5 s, and 90% of the time within 10 s. The median
response time is 5.54 s. In the interest of improved visualization,
our results do not show outliers beyond the 100 s mark.
Only in 15 instances (0.6% of the overall communications)
was bot response time greater, ranging from 100–260 s.
4.1 Discussion
To summarize thus far: ZombieCoin inherits the key strengths
of the Bitcoin network, namely low-latency communica-
tion, consistent network state, and a distributed decentralized
architecture. The botmaster need not maintain his own C&C
infrastructure, which is a risky and costly endeavour. Bots can
be maintained in isolation from each other. C&C traffic over
the local network is indistinguishable from that of legitimate
Bitcoin users. Upstream channels can be conveniently estab-
lished and Bloom filters enable fine-grained control over the
botnet. We believe our experimental results, together with
the relative ease of implementation using freely available
software, highlight the realistic and practical aspects of Zom-
bieCoin, and we should take seriously the threat of botnets
upgrading C&C communications onto the Bitcoin network.
So far we have assumed bots identify messages from the
botmaster based on the transaction input, which raises the possibility
of blacklisting the botmaster’s Bitcoin address. This
is not likely to resolve the problem. For one, it would be a
form of regulation, a fundamental violation of the Bitcoin
ethos [10], and we expect Bitcoin users would be the first to
vigorously resist such attempts.
Second, such a step would require a significant proto-
col upgrade which could potentially degrade performance
and usability of Bitcoin for legitimate users. Miners by
themselves could, with relative ease, cooperate and ensure
ZombieCoin transactions do not appear in the blockchain.
However, this does not solve the underlying problem of the
circulation of ZombieCoin transactions throughout the net-
work. In the current Bitcoin protocol version, nodes that
receive incoming transactions perform checks for correct-
ness (i.e. the input address is valid, the transaction is in the
correct format, sum of inputs equals outputs, the digital sig-
nature is verified, etc.) and then forward the transaction on
to other nodes. Valid transactions are forwarded to all nodes,
irrespective of the number of nodes in the network.
In our implementation described earlier, our bots do
not look up transactions from incoming blocks of the
blockchain (at approximately 10-min intervals), but instead
receive them within a 5–12 s window as the transactions
propagate throughout the network. Therefore, even if all
C&C transactions are ultimately rejected by miners, the bots
have already received them, validated them, and carried out
the embedded instructions. Halting the propagation of these
transactions in the Bitcoin network would require the explicit
cooperation of the majority of nodes in the network, neces-
sitating not just protocol modifications, but network-wide
synchronization of nodes against a blacklist that all parties
agree upon.
Furthermore, to defeat any censorship measures the bot-
master can switch to alternate authentication strategies which
do not rely solely on Bitcoin addresses but may use sub-
liminal channels in transaction outputs or digital signatures.
Botmasters could potentially keep switching authentication
strategies, thereby escalating the fight and making it harder
for legitimate clients to use the network.
In theory, an anti-virus installed on a victim’s machine
could scan the Bitcoin network in lockstep with bots and
block incoming C&C instructions. However, new malware is
adept at evading anti-viruses: Torpig bots [16] contain rootkit
functionality, executing their code prior to loading the OS,
or injecting their code into legitimate processes to escape
detection. Others like ZeroAccess contain tripwire mecha-
nisms which suspend anti-virus scanning activity [18].
We should also mention the costs of running
ZombieCoin. At the time of our experiments, it cost
us about 3 cents (0.1 mBTC) for every 1000 bytes of data in
the transaction. Our experiment ran over 24 h and 250 C&C
instructions were sent at a cost of US$7.50. We also note that
since transactions are flooded to the entire Bitcoin network,
the transaction fees would have remained constant regardless
of the number of bots we deployed. These costs are therefore
trivial compared to the profits made by successful botnets
which are typically in the hundreds of thousands of dollars.
Furthermore, Bitcoin-based C&C is also a considerably safer
option compared to existing botnets where the odds of detec-
tion, botnet takedown, and identification of the botmaster are
dramatically higher.
5 Recommendations
Thus far we have found little recognition of this threat
among the Bitcoin community.⁶ However, there has been
some attempt made at raising awareness within the botnet
and hacker communities. Interpol researchers at the Black
Hat Asia conference recently demonstrated malware which
downloads specific coded strings from the Bitcoin blockchain
(where they are stored as transaction outputs) and stitches
them together into one command and executes it. Forbes
magazine profiled this threat and others (including a prelimi-
nary version of ZombieCoin [53]), dubbing this phenomenon
blockchain “pollution”, and concluded on the somber note
that there are as yet no easy solutions to this problem [54].
Perhaps we need to shift research focus back to traffic anal-
ysis and malware detection techniques. The new paradigm of
software-defined networking (SDN) may hold some promise:
there is already research suggesting SDN assists significantly
in detecting malware-related anomalies at the network level
[55].
We would stress here an earlier suggestion from the liter-
ature [16]: researchers and law enforcement should cultivate
working relationships with registrars and ISPs to enable
rapid response time to malware threats. If a botmaster
announces rendezvous points over the Bitcoin network, reg-
istrars scattered over the world may need to block sites at very
short notice. Incidentally, third party DNS services (such as
OpenDNS, or Google Public DNS) and cloud-based security
solutions (like Umbrella) may actually prove agile enough
for this purpose [56].
Another approach proposed before, but, to the best of our
knowledge, never applied in practice, is to combat the botnet
problem at its root, i.e. the economy that drives it. Ford et al.
propose [57] deliberately infecting large numbers of decoy
virtual machines (honeypots) to join the botnet but remain
under control of the white hats. By disruptive, unpredictable
behaviour, these sybils will actively undermine the economic
relationship between the botmaster and clients. An ad master,
for instance, may pay for a certain number of ad impressions,
and the machines may make artificial clicks but this will not
translate to a corresponding increase in actual sales. Targeting
the economic incentive may prove a potent counter to the
botnet threat.
⁶ The Namecoin lead developer was interviewed in 2014 on the possibility of Namecoin being used to empower botnets. His response: “Is there a real benefit for the zombie computer to use this instead of connecting to an IRC channel or else? Updatable IP? It may be less complex to get IP from hacked computers all over the world or to build a P2P botnet. As each thing that provides power to its user, it can be used in a bad or good way (as knives, secure communication software, etc).” [52].
6 Prior work
Botnet-related research follows multiple strands. There are
studies on the botnet economy [57–59]. Researchers have
autopsied botnets, including early varieties like Agobot,
SDbot [13], and state-of-the-art worms, Conficker [60],
Storm [61], Waledac [62], and ZeroAccess [45]. There is
extensive work on botnet tracking methods [63,64] and traf-
fic analysis and detection tools such as BotSniffer [65],
BotMiner [66], and BotHunter [67]. Researchers have infil-
trated botnets [16] and documented insider perspectives [68].
Readers interested in comprehensive surveys of the botnet
phenomenon are directed to [69,70].
There is a growing literature on exploring novel C&C
mechanisms so that preemptive solutions may be devised.
We summarize here a few such efforts:
Lee et al. [71] and Szabo et al. [72] propose automated
botnets that derive instructions from pervasive Internet infor-
mation (e.g. stock market figures or major news events). This
data cannot be easily manipulated and C&C traffic blends in
with legitimate user traffic. Such botnets are uncontrolled
and unpredictable. This may not make economic sense, but
hearkens back to earlier days when botnets were mostly built
to enhance standing in the hacker community.
Starnberger et al. present Overbot [73] which uses the P2P
protocol Kademlia for stealth C&C communications. The
authors share our design concerns that bot traffic is covert and
not easily distinguishable. However, there are critical differ-
ences: Overbot nodes carry the private key of the botmaster,
and capturing one bot compromises the entire botnet’s com-
munications. Furthermore, unlike our case where instructions
are circulated within seconds, for Overbot this may take up
to 12 h. ZombieCoin also requires substantially less network
management as the Bitcoin network handles message routing
and global consistency.
The work closest to ours is that of Nappa et al. [74] who
propose a C&C channel overlaid on the Skype network.
Skype is closed source, has a large user base, is resilient to
failure, enforces default encryption, and is notoriously diffi-
cult to reverse engineer, all of which are ideal qualities for
C&C communications. As in our case, disrupting this botnet
would significantly impact legitimate Skype users. However,
unlike Bitcoin, Skype is not designed to maintain low-latency
global consistency of state. Furthermore, after the Microsoft
takeover in 2011, Skype has switched to a centralized cloud-
based architecture [75].
Researchers have also proposed novel C&C mechanisms:
Stegobot [76] creates subliminal channels on social networks
by steganographic manipulation of user-shared images. Zeng
et al. [77] describe a mobile P2P botnet concealing C&C
communication in SMS spam messages. Desimone et al. [78]
suggest creating covert channels in BitTorrent protocol mes-
sages. These solutions present interesting possibilities but are
not very practical, with limitations in terms of bandwidth,
latency and security.
7 Conclusion
In this paper, we have described ZombieCoin, a mechanism
to control botnets using Bitcoin. ZombieCoin inherits key
strengths of the Bitcoin network, namely it is distributed, has
low latency, and it would be hard to censor C&C instructions
inserted in transactions without significantly impacting legit-
imate Bitcoin users. ZombieCoin has a key advantage over
current botnet C&C mechanisms in that common takedown
techniques of confiscating suspect web domains, seizing
C&C servers or poisoning P2P networks, would not be effec-
tive. Furthermore, ZombieCoin enables novel and powerful
C&C communication modes, allowing botmasters to eas-
ily set up upstream channels, expand bandwidth, efficiently
partition botnets, and exercise fine-grained control over indi-
vidual bots. Our prototype implementation demonstrates that
it is easy to implement this C&C functionality by modify-
ing freely available software, and experimental results show
that instructions propagate in near real time on the Bitcoin
network.
We believe ZombieCoin poses a credible emergent threat
and we hope our work prompts further discussion and proves
a step towards devising effective countermeasures.
Acknowledgements This paper is an extended version of work that
was first presented in February, 2015 at the 2nd Workshop on Bit-
coin Research (Bitcoin15) co-located with Financial Cryptography (FC)
[53]. The authors thank Hassaan Bashir, Mike Hearn, Pawel Widera,
and Siamak Shahandashti for invaluable assistance with experiments
and helpful comments.
References
1. Weber, T.: Criminals ’may overwhelm the web’. BBC Home, Jan.
25, 2007. http://news.bbc.co.uk/1/hi/business/6298641.stm
2. Dittrich, D.: So you want to take over a botnet. In: Proceedings of
the 5th USENIX conference on Large-Scale Exploits and Emergent
Threats. USENIX Association, pp. 6–6 (2012)
3. Stevenson, A.: Botnets infecting 18 systems per second, warns
FBI. V3.co.uk, July 16 2014. http://www.v3.co.uk/v3-uk/ news/
2355596/botnets-infecting-18- systems-per-second-warns-fbi
4. Android smartphones ‘used for botnet’, researchers say, July 5
2012. http://www.bbc.co.uk/news/technology-18720565
123
ZombieCoin 2.0: managing next-generation botnets using Bitcoin
5. Vincent, J.: Could your fridge send you spam? Security researchers
report ’internet of things’ botnet. The Independent, Jan. 20 2014.
http://www.independent.co.uk/life-style/gadgets-and- tech/news/
could-your-fridge-send- you-spam-security-researchers-report-
internet-of-things-botnet- 9072033.html
6. David, J.: Hackers Take Down the Most Wired Country in Europe.
Wired Magazine, Aug. 21 2007. http://archive.wired.com/politics/
security/magazine/15- 09/ff_estonia?currentPage=all
7. Hattem, J.: Senate Dem wants to battle botnets. The
Hill, July 15 2014. http://thehill.com/policy/technology/212338-
senate-dem-wants-to- battle-botnets
8. CoinMarketCap. Crypto-Currency Market Capitalizations. Bit-
coinTalk, Jan. 21 2016. https://coinmarketcap.com/
9. Young, J.: VISA: Bitcoin is no Longer a Choice Anymore.
NewsBTC, Dec. 29 2015. http://www.newsbtc.com/2015/12/29/
visa-bitcoin-is-no- longer-a-choice-anymore/
10. Bustillos, M.: The Bitcoin Boom. The New Yorker, April 2013.
http://www.newyorker.com/tech/elements/ the-bitcoin-boom
11. Young, A., Yung, M.: Malicious Cryptography: Exposing Cryp-
tovirology. Wiley, New York (2004)
12. ICT-FORWARD Consortium. FORWARD: Managing Emerg-
ing Threats in ICT Infrastructures, 2007–2008. http://www.
ict-forward.eu/
13. Barford, P., Yegneswaran, V.: An inside look at botnets. In: Malware
Detection. Springer, pp. 171–191 (2007)
14. Westervelt, R.: Botnet Masters Turn to Google, Social
Networks to Avoid Detection. TechTarget, Nov. 10 2009.
http://searchsecurity.techtarget.com/news/1373974/Botnet-masters-
turn-to-Google-social- networks-to-avoid-detection
15. Bowden, M.: Worm: The First Digital World War.Atlantic Monthly
Press (2011)
16. Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski,
M., Kemmerer,R., Kruegel, C., Vigna, G.: Your botnet is my botnet:
analysis of a botnet takeover. In: Proceedings of the 16th ACM con-
ference on Computer and communications security (CCS). ACM,
pp. 635–647 (2009)
17. Wang, P., Sparks, S., Zou, C.C.: An advanced hybrid peer-to-peer
botnet. IEEE Trans. Dependable Secure Comput. 7(2), 113–127
(2010)
18. Neville, A., Gibb, R.: Security Response: ZeroAccess Indepth.
White paper, Symantec, Oct. 4 2013
19. Prince, B.: Flashback Botnet Updated to Include Twitter as
C&C. SecurityWeek, April 30 2012. http://www.securityweek.
com/flashback-botnet-updated- include-twitter-cc
20. Lelli, A.: Trojan.Whitewell: What’s your (bot) Facebook
Status Today? Symantec Security Response Blog, Oct. 2009.
http://www.symantec.com/connect/blogs/trojanwhitewell-what-s-
your-bot-facebook-status-today [online]. Accessed 22 July 2014
21. Kovacs, E.: RAT Abuses Yahoo Mail for C&C Communica-
tions. SecurityWeek, Aug. 4 2014. http://www.securityweek.com/
rat-abuses-yahoo-mail- cc-communications
22. Katsuki, T.: Malware Targeting Windows 8 Uses Google Docs.
Symantec Official Blog, Nov. 16 2012. http://www.symantec.com/
connect/blogs/malware- targeting-windows-8-uses- google-docs
23. Gallagher, S.: Evernote: so useful, even malware loves it. Ars
Technica, Mar. 27 2013. http://arstechnica.com/security/ 2013/03/
evernote-so-useful- even-malware-loves-it/
24. Willet, J.R.: The Second Bitcoin Whitepaper, v. 0.5, Jan. 2012.
https://sites.google.com/site/ 2ndbtcwpaper/2ndBitcoinWhitepaper.
pdf [online]. Accessed 22 July 2014
25. Rosenfeld, M.: Overview of Colored Coins, Dec. 2012. https://
bitcoil.co.il/BitcoinX.pdf [online]. Accessed 22 July 2014
26. Counterparty: Pioneering Peer-to-Peer Finance. https://www.
counterparty.co/
27. Isgur, B.: A Little Altcoin Sanity: Namecoin. CoinReport, July 16
2014. https://coinreport.net/little- altcoin-sanity-namecoin/
28. Clark, J., Essex, A.: Commitcoin: carbon dating commitments with
Bitcoin. In: Financial Cryptography and Data Security. Springer,
pp. 390–398 (2012)
29. Cawrey, D.: How Monegraph Uses the Block Chain to Verify Dig-
ital Assets. CoinDesk, May 15 2014. http://www.coindesk.com/
monegraph-uses-block-chain- verify-digital- assets/
30. OneName. https://onename.io/
31. Protocol Specification. Bitcoin Wiki. https://en.bitcoin.it/wiki/
Protocol_specification
32. Apodaca, R.L.: OP_RETURN and the Future of Bit-
coin. Bitzuma, July 29 2014. http://bitzuma.com/posts/
op-return-and-the- future-of-bitcoin/
33. Andresen, G.: Core Development Update #5. Bitcoin Foun-
dation, Oct. 24 2013. https://bitcoinfoundation.org/2013/10/
core-development-update- 5/
34. Bradbury, D.: BlockSign Utilises Block Chain to Verify Signed
Contracts. CoinDesk, Aug. 27 2014. http://www.coindesk.com/
blocksign-utilises-block-chain- verify-signed-contracts/
35. Kirk, J.: Could the Bitcoin Network be Used as an
Ultrasecure Notary Service? PCWorld, May 24 2013.
http://www.pcworld.com/article/2039705/could- the-bitcoin-net
work-be-used-as- an-ultrasecure-notary- service.html
36. Mastercoin transaction on Bitcoin Block Explorer. https://goo.gl/
dq1ra3
37. Bos, J.W., Halderman, J.A., Heninger, N., Moore, J., Naehrig, M.,
Wustrow, E.: Elliptic curve cryptography in practice. IACR Cryp-
tol. ePrint Arch. 2013, 734 (2013)
38. Johnson, D., Menezes, A., Vanstone, S.: The Elliptic Curve Digital
Signature Algorithm (ECDSA). Int. J. Inf. Sec. 1(1), 36–63 (2001)
39. Simmons, G.J.: The prisoners problem and the subliminal channel.
In: Advances in Cryptology. Springer, pp. 51–67 (1984)
40. Simmons, G.J.: The subliminal channel and digital signatures. In:
Advances in Cryptology. Springer, pp. 364–378 (1985)
41. Burnett, S., Feamster, N., Vempala, S.: Chipping away at censor-
ship firewalls with user-generated content. In: USENIX Security
Symposium, Washington, DC, pp. 463–468 (2010)
42. Invernizzi, L., Kruegel, C., Vigna, G.: Message in a bottle: sail-
ing past censorship. In: Proceedings of the 29th Annual Computer
Security Applications Conference. ACM, pp. 39–48 (2013)
43. Elahi, T., Goldberg, I.: Cordon—A Taxonomy of Internet Cen-
sorship Resistance Strategies. University of Waterloo CACR, 33
(2012)
44. Goncharov, M.: Russian Underground 101 (2012). http://www.
trendmicro.com/cloud-content/us/pdfs/ security-intelligence/white-
papers/wp-russian-underground-101.pdf
45. Andriesse, D., Rossow, C., Stone-Gross, B., Plohmann, D., Bos,
H.: Highly resilient peer-to-peer botnets are here: an analysis of
gameover zeus. In: 2013 8th International Conference on Malicious
and Unwanted Software: “The Americas” (MALWARE). IEEE, pp.
116–123 (2013)
46. Naraine, R.: Storm Worm botnet partitions for sale, Oct. 15
2007. http://www.zdnet.com/blog/security/storm-worm-botnet-
partitions-for-sale/592
47. Insight a ZeuS C&C server. http://www.abuse.ch/?p=1192, March
20 2009
48. Bloom, B.H.: Space/time trade-offs in hash coding with allowable
errors. Commun. ACM 13(7), 422–426 (1970)
49. BitcoinJ: A Java implementation of a Bitcoin client-only node.
https://code.google.com/p/ bitcoinj/
50. Nakamoto, S.: Bitcoin: A Peer-to-peer Electronic Cash System.
http://www.bitcoin.org/bitcoin.pdf (2009). [online]. Accessed 22
July 2014
51. Azure: Microsoft’s Cloud Platform. https://azure.microsoft.com/
en-gb/
123
S. T. Ali et al.
52. Interview with khalahan—namecoins lead developer, June
2014. http://coinabul.tumblr.com/post/25890690158/khalahan-
and-namecoin-interview
53. Ali, S.T., McCorry, P., Lee, P.H.-J., Hao, F.:ZombieCoin: powering
next generation botnets with Bitcoin. In: Proceedings of the 2nd
Workshop on Bitcoin Research, BITCOIN’15 (2015)
54. Fox-Brewster, T.: Bitcoin’s Blockchain Offers Safe Haven For
Malware And Child Abuse, Warns Interpol. Forbes, March
27 2015. http://www.forbes.com/sites/thomasbrewster/2015/
03/27/bitcoin- blockchain-pollution-a- criminal-opportunity/#
6ae1d8583297
55. Mehdi, S.A., Khalid, J., Khayam, S.A.: Revisiting traffic anomaly
detection using software defined networking. In: Recent Advances
in Intrusion Detection. Springer, pp. 161–180 (2011)
56. Hoffman, C.: 7 Reasons to Use a Third-Party DNS Ser-
vice, Sept. 7 2013. http://www.howtogeek.com/167239/
7-reasons-to-use- a-third-party- dns-service/
57. Ford, R., Gordon, S.: Cent, five cent, ten cent, dollar: hitting botnets
where it really hurts. In: Proceedings of the 2006 workshop on New
security paradigms. ACM, pp. 3–10 (2006)
58. Franklin, J., Perrig, A., Paxson, V., Savage, S.: An inquiry into the
nature and causes of the wealth of internet miscreants. In: ACM
Conference on Computer and Communications Security, pp. 375–
388 (2007)
59. Li, Z., Liao, Q., Striegel, A.: Botnet economics: uncertainty mat-
ters. In: Managing Information Risk and the Economics of Security.
Springer, pp. 245–267 (2009)
60. Porras, P., Saïdi, H., Yegneswaran, V.: A foray into confickers logic
and rendezvous points. In: USENIX Workshop on Large-Scale
Exploits and Emergent Threats (2009)
61. Holz, T.,Steiner, M., Dahl, F., Biersack, E., Freiling, F.C.: Measure-
ments and mitigation of peer-to-peer-based botnets: a case study
on storm worm. In: Proceedings of the First USENIX Workshop
on Large-Scale Exploits and Emergent Threats (LEET), pp. 1–9
(2008)
62. Stock, B., Gobel, J., Engelberth, M., Freiling, F.C., Holz, T.:
Walowdac-analysis of a peer-to-peer botnet. In: 2009 European
Conference on Computer Network Defense (EC2ND). IEEE, pp.
13–20 (2009)
63. Cooke, E., Jahanian, F., McPherson, D.: The zombie roundup:
understanding, detecting, and disrupting botnets. In: Proceedings
of the USENIX SRUTI Workshop, vol. 39, p. 44 (2005)
64. Ramsbrock, D., Wang, X., Jiang, X.: A first step towards live
botmaster traceback. In: Recent Advances in Intrusion Detection.
Springer, pp. 59–77 (2008)
65. Gu, G. Zhang, J., Lee, W.: Botsniffer: detecting botnet command
and control channels in network traffic. In: Proceedings of the
15th Annual Network and Distributed System Security Sympo-
sium, NDSS (2008)
66. Gu, G., Perdisci, R., Zhang, J., Lee, W., et al.: Botminer: clustering
analysis of network traffic for protocol-and structure-independent
botnet detection. In: USENIX Security Symposium, pp. 139–154
(2008)
67. Gu, G., Porras, P.A., Yegneswaran, V., Fong, M.W., Lee, W.:
Bothunter: detecting malware infection through ids-driven dialog
correlation. USENIX Security 7, 1–16 (2007)
68. Cho, C.Y., Caballero, J., Grier, C., Paxson, V., Song, D.: Insights from the inside: a view of botnet management from infiltration. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET) (2010)
69. Khattak, S., Ramay, N., Khan, K., Syed, A., Khayam, S.: A taxonomy of botnet behavior, detection, and defense. IEEE Commun. Surv. Tutor. 16(2), 898–924 (2014)
70. Silva, S.S.C., Silva, R.M.P., Pinto, R.C.G., Salles, R.M.: Botnets: a survey. Comput. Netw. 57(2), 378–403 (2013)
71. Lee, H.H., Chang, E.-C., Chan, M.C.: Pervasive random beacon in the Internet for covert coordination. In: Information Hiding. Springer, pp. 53–61 (2005)
72. Szabo, J., Aycock, J., Acton, R., Denzinger, J.: The tale of the weather worm. In: Proceedings of the 2008 ACM Symposium on Applied Computing. ACM, pp. 2097–2102 (2008)
73. Starnberger, G., Kruegel, C., Kirda, E.: Overbot: a botnet protocol based on Kademlia. In: Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm). ACM, p. 13 (2008)
74. Nappa, A., Fattori, A., Balduzzi, M., Dell'Amico, M., Cavallaro, L.: Take a deep breath: a stealthy, resilient and cost-effective botnet using Skype. In: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). Springer, pp. 81–100 (2010)
75. Whittaker, Z.: Skype ditched peer-to-peer supernodes for scalability, not surveillance. http://www.zdnet.com/skype-ditched-peer-to-peer-supernodes-for-scalability-not-surveillance-7000017215/, June 24, 2013
76. Nagaraja, S., Houmansadr, A., Piyawongwisal, P., Singh, V., Agarwal, P., Borisov, N.: Stegobot: a covert social network botnet. In: Information Hiding. Springer, pp. 299–313 (2011)
77. Zeng, Y., Shin, K.G., Hu, X.: Design of SMS commanded-and-controlled and P2P-structured mobile botnets. In: Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), pp. 137–148 (2012)
78. Desimone, J., Johnson, D., Yuan, B., Lutz, P.: Covert channel in the BitTorrent tracker protocol. In: International Conference on Security and Management. Rochester Institute of Technology (2012). http://scholarworks.rit.edu/other/300